Closed
Bug 1162176
Opened 9 years ago
Closed 9 years ago
Stop sending full IndexedDB database names as part of SlowSQL telemetry
Categories
(Toolkit :: Telemetry, defect)
Toolkit
Telemetry
Tracking
()
RESOLVED
FIXED
mozilla41
People
(Reporter: bent.mozilla, Assigned: bent.mozilla)
References
Details
(Keywords: privacy, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main41-])
Attachments
(2 files, 6 obsolete files)
14.28 KB,
patch
|
mak
:
review+
|
Details | Diff | Splinter Review |
19.98 KB,
patch
|
janv
:
review+
|
Details | Diff | Splinter Review |
We're sending the full database filename now, which can easily be reverse-munged to see the name that a website gave the database. Most names are probably not a problem (beyond privacy leaks) but there's nothing stopping a website from naming one something like "email@server.com" or "username:password". As discussed in bug 1161224 the plan is to normalize the names we send in telemetry to "db1", "db2", etc.
Assignee | ||
Comment 1•9 years ago
|
||
This allows storage consumers to specify a different database name for telemetry, and also allows consumers to report telemetry even if they don't appear in the whitelist.
Assignee | ||
Comment 2•9 years ago
|
||
This gives every non-chrome IndexedDB database a session-unique name for telemetry reporting purposes.
Attachment #8603863 -
Flags: review?(Jan.Varga)
Comment 3•9 years ago
|
||
Comment on attachment 8603863 [details] [diff] [review] Part 2: Mask IndexedDB database names for non-chrome databases Review of attachment 8603863 [details] [diff] [review]: ----------------------------------------------------------------- Looks good! Just one comment below. ::: dom/indexedDB/ActorsParent.cpp @@ +8638,5 @@ > + // Any databases in these directories are owned by the application and should > + // not have their filenames masked. Hopefully they also appear in the > + // Telemetry.cpp whitelist. > + if (origin.EqualsLiteral("chrome") || > + origin.EqualsLiteral("moz-safe-about+home")) { What about indexeddb:// origins (addon-sdk uses it) ? You could use QuotaManager::IsOriginWhitelistedForPersistentStorage() is case they should be included here.
Attachment #8603863 -
Flags: review?(Jan.Varga) → review+
Assignee | ||
Comment 4•9 years ago
|
||
(In reply to Jan Varga [:janv] from comment #3) > What about indexeddb:// origins (addon-sdk uses it) ? Yeah, I considered that. We'll still see the data for any statements that get run but the name will be obfuscated. Maybe someday we'll have a need to see more database names but I don't think I care right now.
Comment 5•9 years ago
|
||
Unless I'm misunderstanding this doesn't sound like a serious security problem since we don't know of any bad names that could result in telemetry website vulnerabilities. Clearly it's serious from a privacy standpoint though.
Keywords: privacy,
sec-moderate
Comment 6•9 years ago
|
||
I think we might rather modify the whitelist code to accept "wildcards", so that it will track databases starting with indexedDB- or other prefixes. Tracking both a special name and alwaysRecordTelemetry looks like an unneeded complication, to me it's pretty clear if the consumer takes care of providing an alternative telemetry name, it wants to opt-in to telemetry (so in any case I'd remove the alwaysRecordStatement property and just check if telemetryFilename is defined). Avoiding a plain whitelist bypass would also allow us to retain more control about what we care about.
Updated•9 years ago
|
Attachment #8603862 -
Flags: review?(mak77)
Assignee | ||
Comment 7•9 years ago
|
||
(In reply to Marco Bonardo [::mak] from comment #6) > I think we might rather modify the whitelist code to accept "wildcards", so > that it will track databases starting with indexedDB- or other prefixes. > Tracking both a special name and alwaysRecordTelemetry looks like an > unneeded complication, to me it's pretty clear if the consumer takes care of > providing an alternative telemetry name, it wants to opt-in to telemetry (so > in any case I'd remove the alwaysRecordStatement property and just check if > telemetryFilename is defined). But we want to see actual db names for chrome databases since there's no privacy concern and we can make specific changes to those dbs if data shows we need to... I suppose that I could just always set the telemetryFilename option to the db filename in that case, is that what you're saying? > Avoiding a plain whitelist bypass would also allow us to retain more control > about what we care about. Well, then every person that makes a chrome indexedDB database has to remember to add it to the whitelist. Someone remembered to do that for about:home (belatedly), but the folks who did the 'push' database still haven't figured out that they should do it. As the number of databases used in chrome increases I think we'll have more forgetfulness like this...
Flags: needinfo?(mak77)
Assignee | ||
Comment 8•9 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #5) > Unless I'm misunderstanding this doesn't sound like a serious security > problem since we don't know of any bad names that could result in telemetry > website vulnerabilities. Clearly it's serious from a privacy standpoint > though. Yes!
Assignee | ||
Comment 9•9 years ago
|
||
The only difference here is that this gets rid of the special 'always' flag being passed in via the query params. I didn't do the whitelist change yet because of the issues I raised in comment 7, would love to know what you think about those.
Attachment #8603862 -
Attachment is obsolete: true
Attachment #8605377 -
Flags: review?(mak77)
Assignee | ||
Comment 10•9 years ago
|
||
This just updates the IndexedDB code to not send the 'always' flag to storage any more.
Attachment #8603863 -
Attachment is obsolete: true
Attachment #8605383 -
Flags: review?(Jan.Varga)
Assignee | ||
Comment 11•9 years ago
|
||
Updated•9 years ago
|
Attachment #8605383 -
Flags: review?(Jan.Varga) → review+
Assignee | ||
Updated•9 years ago
|
Attachment #8605384 -
Attachment is obsolete: true
Comment 12•9 years ago
|
||
(In reply to Ben Turner [:bent] (use the needinfo flag!) from comment #7) > But we want to see actual db names for chrome databases since there's no > privacy concern and we can make specific changes to those dbs if data shows > we need to... I suppose that I could just always set the telemetryFilename > option to the db filename in that case, is that what you're saying? Sorry, maybe I'm misunderstanding. What I understood is that nothing is changing for currently tracked dbs, the only thing we want is to replace names of indexedDB databases with things like indexedDB-1, indexedDB-2 and so on. Telemetry methods get the dbName so telemetry itself doesn't care, it will just trust what we pass. So yes, we could pass indexedDB-1, -2 and so on, for chrome dbs we could pass their filename. This means people will have to keep adding dbs to the whitelist if they want telemetry (see below). The whitelisting could not be too complex, we can decide for a special char that separates the prefix from the numbering, RFind and split on it, just putting the prefix in the whitelist hash. > > Avoiding a plain whitelist bypass would also allow us to retain more control > > about what we care about. > > Well, then every person that makes a chrome indexedDB database has to > remember to add it to the whitelist. Someone remembered to do that for > about:home (belatedly), but the folks who did the 'push' database still > haven't figured out that they should do it. As the number of databases used > in chrome increases I think we'll have more forgetfulness like this... True, but this is also valid if they add a normal .sqlite database. I think it's the module/feature owner responsibility to figure out if they can benefit from telemetry and we could disable less important probes to save resources, if we wish. It's not complicated to add to the whitelist, nor to review patches doing that. For example I don't think about:home telemetry is useful, due to the simplicify of its contents, and I'd have no problems disabling it if we'd need to save on resources. The same way, by having a whitelist we can check nobody reports a db name that can hurt users privacy, while if we provide the bypass, nobody will check if someone bypasses the whitelist with user@domain.sqlite (luckily we are deprecating binary add-ons, or they could have used the bypass...) I'm not going to block you on this, since both approaches have some pro and cons, but I would like to get your opinion on retaining more control over what we report, rather than providing a bypass of our control.
Flags: needinfo?(mak77)
Assignee | ||
Comment 13•9 years ago
|
||
Yeah, I'm fine maintaining the whitelist approach and matching based on prefix. I guess if we see untracked chrome indexedDB databases in telemetry then we can just file a bug on the owner to get it in the whitelist. Until then it's not vital that we get every chrome database reported anyway. I talked with vladan and he was fine with our whitelist not being a runtime-generated hashtable but just a static array. I went the extra mile and did compile-time length generation too so we don't have to do strlen() any more so this should be pretty zippy.
Attachment #8605377 -
Attachment is obsolete: true
Attachment #8605377 -
Flags: review?(mak77)
Attachment #8605960 -
Flags: review?(mak77)
Assignee | ||
Comment 14•9 years ago
|
||
Similar to the way it used to be.
Attachment #8605383 -
Attachment is obsolete: true
Attachment #8605963 -
Flags: review?(Jan.Varga)
Assignee | ||
Comment 15•9 years ago
|
||
Updated•9 years ago
|
Attachment #8605963 -
Flags: review?(Jan.Varga) → review+
Assignee | ||
Updated•9 years ago
|
Attachment #8605964 -
Attachment is obsolete: true
Comment 16•9 years ago
|
||
Comment on attachment 8605960 [details] [diff] [review] Part 1: Add dynamic whitelisting to SlowSQL telemetry, v2 Review of attachment 8605960 [details] [diff] [review]: ----------------------------------------------------------------- LGTM! Thank you for making this. ::: storage/src/mozStorageConnection.cpp @@ +604,5 @@ > mDBConn = nullptr; > return convertResultCode(srv); > } > > + // Leave mDatabaseFile and mFileURL empty to get a 'memory' database. The comment as-is sounds a little bit strange without nothing happening after it... Maybe something more verbose like: // Do not populate mDatabaseFile and mFileURL here, since this is a "memory" database. @@ +634,5 @@ > return convertResultCode(srv); > } > > + // Leave mFileURL empty to get a disk-backed database with no additional > + // options. ditto (even if here it's clearer since we populate mDatabaseFile) @@ +666,5 @@ > return convertResultCode(srv); > } > > + // Set both mDatabaseFile and mFileURL to get a disk-backed database with > + // additional options. ditto (here I think "to get a disk-backed..." is a little unclear since populating these fields it's unlikely needed to "get" the database) I think using in all the three cases a variation of the comment I suggested above, could work. @@ +684,3 @@ > > + if (mFileURL) { > + const char* dbPath = sqlite3_db_filename(mDBConn, "main"); please prefix with :: @@ +686,5 @@ > + const char* dbPath = sqlite3_db_filename(mDBConn, "main"); > + MOZ_ASSERT(dbPath); > + > + const char* telemetryFilename = > + sqlite3_uri_parameter(dbPath, "telemetryFilename"); ditto @@ +699,5 @@ > + if (mTelemetryFilename.IsEmpty()) { > + mTelemetryFilename = getFilename(); > + } > + > + MOZ_ASSERT(!mTelemetryFilename.IsEmpty()); nit: the empty line above this doesn't look useful
Attachment #8605960 -
Flags: review?(mak77) → review+
Assignee | ||
Comment 17•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e183bcc18cd3 https://hg.mozilla.org/integration/mozilla-inbound/rev/ba117e790ece
Comment 18•9 years ago
|
||
Backed out for bustage. https://treeherder.mozilla.org/logviewer.html#?job_id=9973032&repo=mozilla-inbound https://hg.mozilla.org/integration/mozilla-inbound/rev/3bc47925ba63
Assignee | ||
Comment 19•9 years ago
|
||
GCC doesn't like that constexpr...
Assignee | ||
Comment 20•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=58aa31b3ba81
Assignee | ||
Comment 21•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e3cc8cf3c085
Assignee | ||
Comment 22•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/280dae3918d9 https://hg.mozilla.org/integration/mozilla-inbound/rev/fba019b3618f
Comment 23•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/280dae3918d9 https://hg.mozilla.org/mozilla-central/rev/fba019b3618f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox41:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Assignee | ||
Comment 24•9 years ago
|
||
The bustage fix was simple: struct TrackedDBEntry { const char* mName; const uint32_t mNameLength; + + MOZ_CONSTEXPR + TrackedDBEntry(const char* aName, uint32_t aNameLength) + : mName(aName) + , mNameLength(aNameLength) + { } // This struct isn't meant to be used beyond the static arrays below. TrackedDBEntry() = delete; TrackedDBEntry(TrackedDBEntry&) = delete; };
Comment 26•9 years ago
|
||
We probably don't need to back-port this. Fabrice says current b2g master sends telemetry, but shipping devices don't. That argues against the need to fix this on old b2g branches, also.
status-b2g-v2.0:
--- → disabled
status-b2g-v2.0M:
--- → disabled
status-b2g-v2.1:
--- → disabled
status-b2g-v2.1S:
--- → disabled
status-b2g-v2.2:
--- → disabled
status-b2g-master:
--- → fixed
status-firefox39:
--- → affected
status-firefox40:
--- → affected
status-firefox-esr31:
--- → affected
status-firefox-esr38:
--- → affected
Flags: needinfo?(dveditz) → needinfo?(ptheriault)
(In reply to Daniel Veditz [:dveditz] from comment #26) > We probably don't need to back-port this. > > Fabrice says current b2g master sends telemetry, but shipping devices don't. > That argues against the need to fix this on old b2g branches, also. Sounds good to me.
Flags: needinfo?(ptheriault)
Assignee | ||
Comment 28•9 years ago
|
||
Bug 922898 should be marked as a dup of this once this bug is public.
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main41+]
Updated•9 years ago
|
Alias: CVE-2015-4517
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage][adv-main41+] → [post-critsmash-triage][adv-main411]
Updated•9 years ago
|
Alias: CVE-2015-4517
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage][adv-main411] → [post-critsmash-triage][adv-main41-]
Updated•9 years ago
|
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•